sql - Python/SQLite3 escaping in WHERE-Clause


How do I escape in Python for SQLite3?

Whenever I search for this (Google or Stack Overflow), the answer is always something like this:

  dbcursor.execute("SELECT * FROM `foo` WHERE `bar` = ?", ["foobar"])

This helps against SQL injection, and it is enough if I only do comparisons with "=", but it certainly doesn't escape wildcards.

So if I do

  cursor.execute(u"UPDATE `cookies` SET `count` = ? WHERE `nickname` LIKE ?", (cookies, name))

some users might supply "%" as a nickname and replace all cookie entries with one line. I could escape the wildcards myself (and probably forget at least one of them), I could use LOWER() on nick and nickname and replace "LIKE" with "=", but what I would actually like to do is something along the lines of:

  foo = sqlescape(nick) + "%"
  cursor.execute(u"UPDATE `cookies` SET `count` = ? WHERE `nickname` LIKE ?", (cookies, foo))

You have already prevented full code injection by using parametrized queries. Now it seems you are trying to match a pattern against user-supplied data, but you want the user-supplied portion of the data to be treated as real data (hence no wildcards). You have several options:

  1. Simply filter the input. The wildcards in SQLite's LIKE are only % and _ , so it is very hard to get this wrong; just make sure you do filter the input (my preferred method: filter right before building the query, not when the user input is read). Generally, the "whitelist" approach is considered safer and easier than removing the usual dangerous characters from the string (and any "lesser-known wildcards", as you say): instead of deleting % and _ , scan your string and keep only the characters you want. For example, if your "nick" may contain only ASCII letters, digits, "-" and "." , it can be cleaned up like this:

      import re
      name = re.sub(r"[^A-Za-z0-9.-]", "", name)

     This solution is specific to the particular field you are matching, and works well for names and other identifiers. If I had to search with RLIKE, I would certainly want to accept full regular expressions, so there would be far too many characters to filter.

  2. If you do not want users to be able to supply wildcards, why use LIKE in your query at all? If your queries come from many places in the code (or you may be writing a library), you can make your queries safer if you can avoid LIKE completely:

    • For example:

      SELECT * FROM ... WHERE name = 'foo' COLLATE NOCASE

    • In your example, you are doing prefix matching (" sqlescape(nick) + "%" "). Here is how to do that with an exact search:

      size = len(nick)
      cursor.execute(u"UPDATE `cookies` SET `count` = ? WHERE substr(`nickname`, 1, ?) = ?", (cookies, size, nick))
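As an added example (not code from the question or the answer above), the following Python script puts the approaches side by side on an in-memory SQLite database: the vulnerable LIKE query from the question, the whitelist filter and the substr() rewrite from the answer, and, going one step beyond the answer, the LIKE ... ESCAPE clause that SQLite provides for exactly the `sqlescape(nick) + "%"` the question asks for. The table layout, the rows and the helper names (`make_db`, `like_escape`, `unsafe_prefix_update`, `escaped_prefix_update`, `whitelist_nick`, `substr_prefix_update`) are constructed for this example.

```python
import re
import sqlite3

# Constructed sample data for the example (not from the original post).
# "al_ce" is there to show the difference between a literal and a wildcard "_".
ROWS = [("alice", 1), ("alice.b", 2), ("bob", 3), ("al_ce", 4)]


def make_db():
    """Fresh in-memory cookies table holding the constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE cookies (nickname TEXT, count INTEGER)")
    con.executemany("INSERT INTO cookies VALUES (?, ?)", ROWS)
    return con


def unsafe_prefix_update(con, nick, cookies):
    """The pattern from the question: parametrized against injection, but the
    user still controls LIKE metacharacters, so nick='%' rewrites every row."""
    cur = con.execute(
        "UPDATE cookies SET count = ? WHERE nickname LIKE ?",
        (cookies, nick + "%"),
    )
    return cur.rowcount


def like_escape(value, esc="\\"):
    """Make value literal inside a LIKE pattern: escape the escape character
    itself first, then % and _. Must be paired with ESCAPE '<esc>' in the SQL."""
    return (value.replace(esc, esc + esc)
                 .replace("%", esc + "%")
                 .replace("_", esc + "_"))


def escaped_prefix_update(con, nick, cookies):
    """Prefix match where the user-supplied part is treated as plain data."""
    if not nick:
        # An empty prefix would expand to the pattern '%' and match every row.
        raise ValueError("empty nickname prefix")
    pattern = like_escape(nick) + "%"
    cur = con.execute(
        "UPDATE cookies SET count = ? WHERE nickname LIKE ? ESCAPE '\\'",
        (cookies, pattern),
    )
    return cur.rowcount


def whitelist_nick(nick):
    """Option 1 from the answer: keep only ASCII letters, digits, '-' and '.'."""
    return re.sub(r"[^A-Za-z0-9.-]", "", nick)


def substr_prefix_update(con, nick, cookies):
    """Option 2 from the answer: avoid LIKE altogether with substr()."""
    if not nick:
        # substr(nickname, 1, 0) = '' is true for every row, same pitfall as above.
        raise ValueError("empty nickname prefix")
    cur = con.execute(
        "UPDATE cookies SET count = ? WHERE substr(nickname, 1, ?) = ?",
        (cookies, len(nick), nick),
    )
    return cur.rowcount


if __name__ == "__main__":
    print("nick      unsafe  escaped  substr")
    for nick in ("alice", "al_", "%"):
        print(f"{nick:<9} {unsafe_prefix_update(make_db(), nick, 0):>6}  "
              f"{escaped_prefix_update(make_db(), nick, 0):>7}  "
              f"{substr_prefix_update(make_db(), nick, 0):>6}")
    print("whitelist_nick('al%_ce') ->", whitelist_nick("al%_ce"))
```

Note the guard on an empty prefix in both safe variants: whitelisting can reduce a hostile nickname such as "%" to the empty string, and an empty prefix matches every row with either LIKE or substr(), which is the same outcome the question is trying to prevent.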
